DATA SHEET FortiWeb™ Available in: Appliance Virtual SaaS Cloud Container Machine Web Application and API Protection Highlights FortiWeb 100E, 400E, 600E, 1000E, 2000E, 3000E, 4000E, VM, and Container n Machine learning that detects and blocks threats while minimizing false positives FortiWeb is a web application n Advanced Bot Mitigation firewall (WAF) that protects effectively protect web assets web applications and APIs from without imposing friction on attacks that target known and legitimate users unknown exploits and helps n Protection for APIs, including maintain compliance with those used to support mobile regulations. applications n Enhanced protection with Using machine learning to model each application, FortiWeb Fortinet Security Fabric defends applications from known vulnerabilities and from zero- integration day threats. High performance physical, virtual appliances and n Visual analytics tools for containers deploy on-site or in the public cloud to serve any advanced threat insights size of the organization — from small businesses to service n Third-party integration and providers, carriers, and large enterprises. virtual patching FortiCare Worldwide Web Application Protection 24/7 Support Multi layer protection against the OWASP Top 10 application attacks support.fortinet.com including machine learning to defend against known and unknown attacks. FortiGuard Security Services API Protection www.fortiguard.com Protect your APIs from malicious actors by automatically enforcing positive and negative security policies. Seamlessly integrate API Third-Party Certification security into your CI/CD pipeline. Bot Mitigation Protect websites, mobile applications, and APIs from automated attacks with advanced bot mitigation that accurately differentiates between good bot traffic and malicious bots. FortiWeb Bot Mitigation provides the visibility and control you need without slowing down your users with unnecessary captchas or challenges. 1 DATA SHEET | FortiWeb™ HIGHLIGHTS Comprehensive Web Application Security Using an advanced multi-layered and correlated approach, FortiWeb provides complete security for your web-based Application Traffic applications from the OWASP Top 10 and many other threats. FortiWeb’s first layer of defense uses traditional WAF detection engines (e.g. attack signatures, IP address reputation, protocol validation, and more) to identify and block malicious traffic, powered by intelligence from Fortinet’s industry leading security research from FortiGuard Labs. FortiWeb’s machine learning detection engine then examines Traditional Negative and legitmate traffic Positive Security Models traffic that passes this first layer, using a continuously updated model of your application to identify malicious malicious traffic anomalies and block them as well. potential false positive traffic API Protection Fueling the digital transformation APIs have become Machine Learning increasingly popular, providing the backbone for mobile applications, automated business to business operations and ease of management across applications. However, with their popularity they also increase the attack surface with additional exposed application surfaces that organizations must secure. Fortinet’s FortiWeb web application firewall provides the right tools to address threats to APIs. The Application Receives Clean Traffic FortiWeb integrates out of the box policies together with an FortiWeb goes beyond traditional negative and positive security models (attack automatically generated positive security model policy that is signatures, IP address reputation, protocol validation, and so on), and applies a second layer of machine learning-based analytics to detect and block malicious anomalies while based on your organization’s schema specification (OpenAPI, minimizing false positives. XML and generic JSON are supported schemas) to protect Machine Learning Improves Detection and against API exploits. FortiWeb schema validation can be Drives Operational Efficiency integrated into the CI/CD pipeline, automatically generating an updated positive security model policy once the API is FortiWeb’s multi-layer approach provides two key benefits: updated. superior threat detection and improved operational efficiency. FortiWeb’s ability to detect anomalous behavior relative to Bot Mitigation the specific application being protected enables the solution FortiWeb protects against automated bots, webs scrapers, to block unknown, never-before-seen exploits, providing crawlers, data harvesting, credential stuffing and other your best protection against zero-day attacks targeting your automated attacks to protect your web assets, mobile APIs, application. applications, users and sensitive data. Combining machine Operationally, FortiWeb machine learning relieves you of learning with policies such as threshold based detection, time-consuming tasks such as remediating false positives Bot deception and Biometrics based detection with superior or manually tuning WAF rules. FortiWeb continually updates good bot identification FortiWeb is able to block malicious the model as your application evolves, so there is no need to bot attacks while reducing friction on legitimate users. With manually update rules every time you update your application. advanced tracking techniques FortiWeb can differentiate FortiWeb enables you to get your code between humans, automated requests and repeat offenders, into production faster, eliminating the track behavior over time to better identify humans from bots need for time-consuming manual WAF and enforce CAPTCHA challenges when required. Together rules tuning and troubleshooting the false 0 with FortiView, FortiWeb’s graphical analysis dashboard positives that plague less advanced WAFs. Block Zero Day Threats organizations can quickly identify attacks and differentiate from good bots and legitimate users. 2 2 DATA SHEET | FortiWeb™ HIGHLIGHTS FortiWeb’s machine learning accurately detects anomalies and identifies which are threats. Unlike prevailing auto-learning detection models used by other WAF vendors that treat every anomaly as a threat, FortiWeb’s precision nearly eliminates false positive detections and catches attack types that others cannot. https://www.example.com/insert?firstname=Janette&lastname=Smit& https://www.example.com/insert?firstname=Mark&lastname=Smith User accidentally sends ”Janette Smit&” in application form field for User sends ”Mark Smith” in NAME application form field for NAME Normal FortiWeb ML predicts that this as an Anomaly from FortiWeb ML expects letters Application normally expected field only in this field. Traffic entries but not a threat FortiWeb ML see this as Anomalies ALLOWED Normal Application Traffic ATTACKS ALLOWED FortiWeb ML matches User sends ”SELECT *.* entry against characters SECURED BY FROM CUSTOMER” in normally expected for the FORTIGUARD® application form field for field and typical length of NAME field entry Support Vector Machine (SVM) separates threats FortiWeb ML with FortiGuard from anomalies using SVM predicts that this as an vector patterns from Anomaly AND AN ATTACK FortiGuard Labs BLOCKED https://www.example.com/insert?firstname=”SELECT *.* FROM CUSTOMER” FortiWeb’s AI-based machine learning evaluates application requests to determine if they are normal, benign anomalies, or anomalies that are threats. Deep Integration into the Fortinet Security WCCP External FortiGate FortiSandbox Fabric and Third-Party Scanners WAF ON As the threat landscape evolves, many new threats require a multi-pronged approach for protecting web-based applications. Advanced Persistent Threats that target users can take many different forms than traditional single- HTTP Traffic Files for Quarantined IPs Inspection vector attack types and can evade protections offered only by a single device. FortiWeb’s integration with FortiGate and FortiSandbox extend basic WAF protections through Web Server synchronization and sharing of threat information to both FortiWeb deeply scan suspicious files and share infected internal sources. FortiWeb also provides integration with leading third-party Third-Party vulnerability scanners including Acunetix, HP WebInspect, Scanners IBM AppScan, Qualys, ImmuniWeb and WhiteHat to provide dynamic virtual patches to security issues in application environments. Vulnerabilities found by the scanner are quickly and automatically turned into security rules by FortiWeb to protect the application until developers can address them in Integration with other Fortinet Security Fabric elements, including FortiGate and FortiSandbox, delivers APT protection and extends vulnerability the application code. scanning with leading third-party providers. 3 DATA SHEET | FortiWeb™ HIGHLIGHTS Solving the Challenge of False Secured by FortiGuard Threat Detections Fortinet’s Award-winning FortiGuard Labs is the backbone False positive threat detections can be very disruptive for many of FortiWeb’s layers in its approach to application and force many administrators to loosen security rules on security. Offered as five separate options, you can choose their web application firewalls to the point where many the FortiGuard services you need to protect your web often become a monitoring tool rather than a trusted threat applications. FortiWeb IP address reputation service protects avoidance platform. The installation of a WAF may take only you from known attack sources like botnets, spammers, minutes, however fine-tuning can take days, or even weeks. anonymous proxies, and sources known to be infected